From 19bab5914a353e1b2878b2d87b665625c00861cf Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Mon, 29 Jul 2024 23:42:10 +0200 Subject: [PATCH] remove defusedxml in favor of lxml (#9840) * update to docs * fix --- docs/content/en/contributing/how-to-write-a-parser.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/content/en/contributing/how-to-write-a-parser.md b/docs/content/en/contributing/how-to-write-a-parser.md index 113322ece5..8954511134 100644 --- a/docs/content/en/contributing/how-to-write-a-parser.md +++ b/docs/content/en/contributing/how-to-write-a-parser.md @@ -142,6 +142,12 @@ Very bad example: finding.unsaved_endpoints = [endpoint] ``` +### Use the right libraries to parse information +Various file formats are handled through libraries. In order to keep DefectDojo slim and also don't extend the attack surface, keep the number of libraries used minimal and take other parsers as an example. + +#### defusedXML in favour of lxml +As xml is by default an unsecure format, the information parsed from various xml output has to be parsed in a secure way. Within an evaluation, we determined that defusedXML is the library which we will use in the future to parse xml files in parsers as this library is rated more secure. Thus, we will only accept PRs with the defusedxml library. + ### Not all attributes are mandatory Parsers may have many fields, out of which many of them may be optional.
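Review bot: The new "#### defusedXML in favour of lxml" heading, read together with the commit title "remove defusedxml in favor of lxml", says the opposite of what the paragraph under it requires ("we will only accept PRs with the defusedxml library"); rename the heading to something unambiguous such as "#### defusedxml instead of lxml" so the policy cannot be misread as endorsing lxml. In the same hunk, use one spelling of the package name (the body switches between "defusedXML" and "defusedxml"; the PyPI name is lowercase "defusedxml"), change "also don't extend the attack surface" to "also not extend the attack surface", and "an unsecure format" to "an insecure format". The sentence "Within an evaluation, we determined that defusedXML is ... rated more secure" gives no pointer to that evaluation; linking the issue or discussion where it happened would let parser authors see the reasoning rather than just the rule.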